Slovenia: ZVOP-2 enters into force - What you need to know
The last Member State to adapt its national data protection framework to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), Slovenia adopted, in December 2022, the Data Protection Act 2022 ('ZVOP-2') [1], which entered into force on 26 January 2023, thus repealing the Data Protection Act 2004 ('ZVOP-1') [2]. In this Insight article, OneTrust DataGuidance Research brings you up to speed with the changes brought about by the ZVOP-2.
The GDPR, while directly binding and applicable in all EU Member States since its entry into force on 25 May 2018, grants Member States a margin to specify or derogate some of its provisions at national level. Accordingly, the ZVOP-2 regulates those substantive and procedural aspects that the GDPR leaves to the discretion of the Member States. However, there is broad consensus that the ZVOP-2 goes well beyond the derogation provisions of the GDPR. Below is an overview of some of the key provisions under the ZVOP-2.
Special category data
In addition to the requirements under Article 9(2) of the GDPR, the ZVOP-2 establishes further conditions for the processing of special category data. In particular, Article 6(2) of the ZVOP-2 stipulates that the processing of personal data for the performance of a legal obligation, in the public interest, or in the exercise of public authority in the cases referred to in Article 6(c) and (e) of the GDPR is only lawful if the following is determined by law:
- the processing of personal data;
- the types of personal data that should be processed;
- the categories of individuals to whom this personal data relates;
- the purpose of their processing; and
- the retention period of personal data or the period for regular review of the need for retention.
In addition, Article 6(5) of the ZVOP-2 provides that the processing of personal data concerning national or ethnic origin by the public sector may be permitted by law, but solely in cases where strictly necessary for, among others, ensuring equal opportunities, and similar purposes.
Similarly, according to Article 6(6) of ZVOP-2, in the field of intelligence, security, and counterintelligence, personal data, including special types of personal data, may be collected and further processed, notwithstanding the provisions of Article 9(2) of the GDPR, if strictly necessary and if provided by law.
Biometric and genetic data
Moreover, as permitted by Article 9(4), as well as Recital 54, of the GDPR, the ZVOP-2 introduces further conditions to the processing of biometric and genetic data for both the public and private sectors (Articles 81 to 84 of the ZVOP-2). In particular, it is prohibited to link collections of biometric personal data with other collections and to enable portability of this data in accordance with Article 20 of the GDPR, unless this is stipulated by another law, or the individual to whom the biometric personal data relates consents. On the other hand, it is permissible to process the genetic data of an individual when this is stipulated by another law, for the purposes of providing healthcare or when the processing is necessary for the implementation of a contract concluded solely for the purpose of processing genetic data for the benefit of the contracting party, who is the individual to whom the data relates.
Specifically, Article 83 of the ZVOP-2 regulates the processing of biometric data by the private sector, which, generally, may only be carried out if it is strictly necessary for the performance of activities, the safety of individuals and property, the protection of classified information, or trade secrets, and must be certified by the Information Commissioner ('the Commissioner') in accordance with Article 52 of the ZVOP-2 (approved authentication mechanisms).
In this regard, the Commissioner noted that it will not be sufficient to meet the requirements of the ZVOP-2 to merely state the reasons for the processing of biometric data, such as the introduction of measures to record work attendance, without adequate justification supported by evidence that the processing in question is strictly necessary for one of the purposes outlined under Article 83 of the ZVOP-2 [3].
As an exception to the above rule, a private sector entity may also process biometric personal data:
- in order to protect the accuracy of the identity of its customers, but only if this is provided for by another law, if it is specifically provided for in a contract, or if the parties have given their explicit consent, and solely for the purposes of protecting the interests mentioned above (Article 83(2) of the ZVOP-2); or
- provided that the processing operations are under the customer's exclusive control or authority and certified pursuant to Article 52 of the ZVOP-2, so that the customer is allowed to explicitly authorise the processing of this data by other processors and controllers for the purpose of proving the accuracy of their identity (Article 83(3) of the ZVOP-2).
A private entity that seeks to process biometric data is obliged, before commencing the processing, to notify individuals in writing, with further obligations where the processing is carried out by employers, and to notify the Commissioner, providing a description of the intended processing and the reasons for it (Articles 83(4) and 83(5) of the ZVOP-2). After receiving the information, the supervisory authority will decide within two months whether the processing of biometric data is permitted. The deadline may be extended by a maximum of two months, taking into account the complexity of the intended processing (Article 83(6) of the ZVOP-2).
Prohibition of marketing processing
Notably, Article 84 of the ZVOP-2 lays down a prohibition affecting the marketing sector. In this context, biometric personal data may not be requested, obtained, or further processed in exchange for certain services, even if those services are free of charge for the data subject involved.
Age of children
With regard to offering information society services to a child, under the ZVOP-2 the age of valid consent for minors is 15 years, whereas the GDPR sets the age limit for valid consent at 16. If the child is under 15 years of age, consent is only valid if it is given or approved by one of the child's parents, their guardian, or a person to whom parental care is granted.
Personal data of deceased
Moving away from the GDPR, which does not apply to the personal data of deceased persons (Recital 27 of the GDPR), the ZVOP-2 regulates in detail the processing of personal data of deceased data subjects (Article 9 of the ZVOP-2). Specifically, the provisions of Article 9 of the ZVOP-2 apply to the personal data of deceased individuals for 20 years after their death, unless another law provides otherwise.
Among other things, the ZVOP-2 provides that, at their request, a data controller may communicate the personal data of the deceased to the deceased's spouse, common-law partner, children, parents, or heirs, unless the deceased expressed their opposition to this before passing away. Personal data of deceased persons may also be disclosed by the data controller to a third party for scientific and historical research, educational, statistical, or archival purposes, in certain circumstances.
Response to a data subject's request
When responding to a request by a data subject, whether in relation to their rights under Articles 15 to 22 of the GDPR or not, data controllers must explain the reasons for their decision to the individual and provide information about the right to lodge a complaint with the Commissioner (Article 14 of the ZVOP-2). Notably, data subjects have only 15 days, counted from the date on which they are informed of the decision against them, to submit an appeal to the Commissioner.
Any information, message, response, and action of the controller pertaining to the exercise of rights by the data subject, or in response to any other type of request related to the protection of personal data, must be provided free of charge (Article 17(1) of the ZVOP-2). Only in the case of unfounded or excessive requests, and especially in the case of repeated requests, may data controllers charge a reasonable fee, which must only cover the material costs of providing the information, response, communication, or actions (Article 17(2) of the ZVOP-2).
Security obligations
Compared to the GDPR, the ZVOP-2 lays down tightened security obligations. Specifically, two new security requirements are introduced, namely the keeping of a traceability log and the security of 'special processing' activities. It is worth noting that the applicability of the obligations in question is postponed. In this regard, please see the section below on 'Transitional provisions'.
According to Article 22 of the ZVOP-2, data controllers who process large amounts of sensitive personal data or regularly monitor individuals, those who identify, when conducting a Data Protection Impact Assessment ('DPIA'), a risk that can be addressed effectively by keeping a traceability log, or those otherwise so required by law, will be required to keep a log tracking the following data processing operations (Article 22(1) of the ZVOP-2):
- disclosure, including transfers;
- erasure; and
- any other processing operations provided for by law.
The logs so maintained shall only be used to demonstrate the lawfulness of the processing carried out and for internal audit purposes, to ensure the integrity and security of the personal data concerned, and to rectify malfunctions in the operation of the information system used or the processing of data (Article 22(3) of the ZVOP-2).
Importantly, the ZVOP-2 mandates specific retention periods for traceability logs. As a rule, the content of the traceability log shall be kept for two years from the end of the calendar year in which the processing operations were recorded. In certain cases, a maximum retention period of five years is established.
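As an added illustration (not code from the ZVOP-2, the Commissioner, or OneTrust), the following Python sketches a traceability log shaped by Article 22: it records only the operations named in Article 22(1), computes each entry's retention end from the end of the calendar year in which it was recorded (two years by default, five where the caller indicates a specific provision requires it), gates reads to the purposes listed in Article 22(3), and hash-chains entries so that tampering with the log itself is detectable. The hash chain, the field names and the purpose labels are design choices of this example, not requirements stated in the Act; the sample entries are constructed.

```python
"""Illustrative Article 22 ZVOP-2 traceability log (added example, not official code).
The hash chain, field names and purpose labels are this example's own design choices."""
from dataclasses import dataclass, replace
from datetime import date, datetime, timezone
from enum import Enum
from typing import Optional
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the very first entry


class Operation(str, Enum):
    DISCLOSURE = "disclosure"      # includes transfers (Article 22(1))
    ERASURE = "erasure"
    OTHER_BY_LAW = "other_by_law"  # any further operation a specific law requires to be logged


# The only uses Article 22(3) permits for the log; the labels are constructed.
PERMITTED_PURPOSES = frozenset({
    "demonstrate_lawfulness", "internal_audit",
    "integrity_and_security", "rectify_malfunction",
})


@dataclass(frozen=True)
class LogEntry:
    recorded_at: datetime
    operation: Operation
    actor: str              # account that performed the operation
    data_subject_ref: str   # pseudonymous reference, never the personal data itself
    detail: str             # e.g. recipient of a disclosure, system the data was erased from
    retention_years: int    # 2 as the rule; 5 where a specific provision requires it (caller decides)
    prev_hash: str
    entry_hash: str

    def retention_end(self) -> date:
        # Retention runs from the end of the calendar year in which the entry was recorded,
        # so an entry from March 2025 with the two-year rule may be kept until 31 Dec 2027.
        return date(self.recorded_at.year + self.retention_years, 12, 31)


def _payload(e: LogEntry) -> dict:
    # Canonical view of an entry, excluding its own hash.
    return {
        "recorded_at": e.recorded_at.isoformat(),
        "operation": e.operation.value,
        "actor": e.actor,
        "data_subject_ref": e.data_subject_ref,
        "detail": e.detail,
        "retention_years": e.retention_years,
        "prev_hash": e.prev_hash,
    }


def _digest(fields: dict) -> str:
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


class TraceabilityLog:
    def __init__(self) -> None:
        self._entries: list[LogEntry] = []
        self._anchor = GENESIS  # hash of the most recently purged entry, or GENESIS

    def record(self, operation: Operation, actor: str, data_subject_ref: str, detail: str,
               recorded_at: Optional[datetime] = None, retention_years: int = 2) -> LogEntry:
        recorded_at = recorded_at or datetime.now(timezone.utc)
        prev = self._entries[-1].entry_hash if self._entries else self._anchor
        draft = LogEntry(recorded_at, operation, actor, data_subject_ref, detail,
                         retention_years, prev, "")
        entry = replace(draft, entry_hash=_digest(_payload(draft)))
        self._entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        # Recomputes every hash and link; any edited, reordered or dropped entry breaks it.
        prev = self._anchor
        for e in self._entries:
            if e.prev_hash != prev or _digest(_payload(e)) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def query(self, purpose: str) -> list[LogEntry]:
        # Article 22(3): the log may only be consulted for the listed purposes.
        if purpose not in PERMITTED_PURPOSES:
            raise PermissionError(f"traceability log may not be consulted for {purpose!r}")
        return list(self._entries)

    def purge_expired(self, today: date) -> int:
        # Purges from the head only, so the chain stays verifiable from the anchor;
        # a longer-retention entry therefore blocks purging of the entries behind it.
        removed = 0
        while self._entries and self._entries[0].retention_end() < today:
            self._anchor = self._entries.pop(0).entry_hash
            removed += 1
        return removed


if __name__ == "__main__":
    log = TraceabilityLog()  # constructed sample entries follow
    log.record(Operation.DISCLOSURE, "svc-export", "subj-001", "transfer to processor (example)",
               recorded_at=datetime(2025, 3, 14, tzinfo=timezone.utc))
    log.record(Operation.ERASURE, "admin-7", "subj-001", "erased from CRM (example)",
               recorded_at=datetime(2026, 6, 1, tzinfo=timezone.utc), retention_years=5)
    print("chain ok:", log.verify_chain(), "purged on 2028-01-01:", log.purge_expired(date(2028, 1, 1)))
```

The purge keeps the head-only discipline on purpose: deleting entries from the middle of a hash chain would make the remaining log unverifiable, which defeats the integrity goal the log exists to serve.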
In addition to the security requirements under the GDPR, the ZVOP-2 subjects certain processing operations, referred to as 'special processing', to the tightened security and incident reporting requirements laid down by the Slovenian Information Security Act No. 30/18, as amended ('the Act') [4], regardless of whether an organisation is otherwise obliged to take measures under the Act in respect of the processing operations concerned. 'Special processing' encompasses information systems in which:
- the processing of personal data is carried out as provided for in the laws governing administrative home affairs, financial administration, citizenship, the Slovenian Intelligence and Security Agency, defence, healthcare, compulsory health insurance, the exercise of rights deriving from public funds, and criminal records;
- personal data of more than 100,000 individuals is processed on the basis of the law, with the exception of the processing of personal data referred to in Chapter 3 of Part 2 of the ZVOP-2 (i.e. video surveillance);
- the controller or processor carries out large-scale processing of special categories of personal data as its core activity; or
- special categories of personal data of more than 10,000 individuals are processed.
Importantly, the ZVOP-2 also establishes data localisation requirements for such data, stipulating that the collection of personal data outlined above may not be stored outside the territory of the Republic of Slovenia.
Moreover, the ZVOP-2 establishes that where a breach of the security of personal data processed in the information systems could seriously harm the security or interests of the Republic of Slovenia, controllers or processors must process such data in such a way as to systematically prevent the destruction, unlawful alteration, or disclosure of the personal data to unauthorised persons or to other entities which do not have a legal basis for accessing or processing it, and thereby to permanently prevent serious damage to the security or interests of the Republic of Slovenia.
DPIA and prior consultation
In addition to the above, before commencing a special processing pursuant to Article 22 of the ZVOP-2, a DPIA and a prior consultation, as governed by Articles 35 and 36 of the GDPR respectively, must be carried out (Article 24(1) of the ZVOP-2). In addition, a DPIA must be re-executed in such cases before the processing commences where the legal basis relied upon changes (Article 24(2) of the ZVOP-2).
DPO appointment and requirements
The ZVOP-2 further specifies the rules governing the designation of data protection officers ('DPOs'). In particular, in addition to the cases in which the GDPR mandates the designation of a DPO, the ZVOP-2 requires the appointment of a DPO by entities concerned with 'special processing' operations pursuant to Article 23 of the ZVOP-2 (Article 45(1) of the ZVOP-2). In addition, the ZVOP-2 obliges controllers and processors to make the details of the DPO publicly available within eight days of the designation, and to record the same in their records of processing activities within the same timeframe (Article 45(4) of the ZVOP-2).
Importantly, the ZVOP-2 adds two requirements for the appointment of a DPO, who, in addition to meeting the criteria laid down by the GDPR, must also:
- have the capacity to act; and
- not have been sentenced to a custodial sentence of at least six months or convicted of a criminal offence concerning the misuse of personal data.
Additional rules and conditions are also imposed depending on whether the DPO is employed in the public or private sector or by a trade union (Articles 46 to 50 of the ZVOP-2).
Data transfers
The ZVOP-2 contains specific provisions on data transfers that apply to a very narrow range of processing of personal data, namely, only to processing operations that take place in areas outside the scope of EU law, such as national security and national defence, and the processing of data of deceased data subjects.
For all other controllers and processors, only the provisions of Chapter V of the GDPR are fully applicable.
Video surveillance
Video surveillance is specifically regulated by the ZVOP-2, with Articles 76 to 80 addressing, among other things, video surveillance within work premises and in public areas.
As a general rule, the reasons for introducing video surveillance must be documented in writing (Article 76(2) of the ZVOP-2) and a notice shall be published, in a distinct and visible manner, on the use of video surveillance, which must contain, in addition to the information prescribed by Article 13 of the GDPR:
- a written or unequivocally graphical description of the fact that video surveillance is being carried out;
- processing purposes, the indication of the operator of the video surveillance system, its telephone number, email address, or web address for the purposes of exercising the data subject's rights;
- information on specific effects of processing, in particular further processing;
- contact details of the DPO; and
- other processing information, such as transfers to entities in third countries, live monitoring of events, and the possibility of audio intervention in the case of live monitoring of events.
Video surveillance recordings may be kept for a maximum of one year from the moment the recording was made, with the controller of the video surveillance system being required to keep a data processing log pursuant to Article 22 of the ZVOP-2.
Among other things, in regard to video surveillance of official office or business premises, its use to monitor access to such premises, both in the public and private sector, is permitted only if it is necessary for the security of persons or property, to ensure control of entry to, or exit from, those premises, or where, due to the nature of the work, there is a risk of endangering employees (Article 77 of the ZVOP-2). The ZVOP-2 explicitly prohibits video surveillance in elevators, restrooms, changing rooms, hotel rooms, and other similar spaces where an individual reasonably expects a higher level of privacy.
Similarly, video surveillance may be carried out in the workplace only where it is strictly necessary for the safety of persons or property, for the prevention or detection of crime, or for the protection of confidential information or business secrets, and these purposes cannot be achieved by less intrusive means (Article 78 of the ZVOP-2). It is forbidden to use video surveillance to record workplaces where an employee usually works, unless this is necessary in accordance with Article 78(1) (Article 78(3) of the ZVOP-2).
Furthermore, before introducing video surveillance in the public or private sector, the employer must consult with the representative trade unions of the employer and the works council or workers' trustees (Article 78(6) of the ZVOP-2).
Supervision and enforcement
Slovenia's persistent failure to adapt its framework to the GDPR, and especially the delay in laying down rules governing the powers of the Commissioner, attracted the scrutiny of the European Commission ('the Commission') [5]. Now, the ZVOP-2 enables the Commissioner to effectively discharge its supervisory role and to exercise the corrective powers provided under the GDPR.
With the adoption of the ZVOP-2, the Commissioner may impose monetary penalties, framed as misdemeanour offences, according to, and in the amounts specified in, the GDPR, which are significantly higher than under the ZVOP-1, under which fines were up to €4,170 for legal entities and €830 for responsible persons of a legal entity (Article 93 of the ZVOP-1). In this regard, it is worth highlighting that the ZVOP-2 maintains separate fine ranges depending on whether the violation is committed by a legal person or by a responsible person of the same. For example, a fine of between €200 and €8,000 will be imposed on the responsible person of a legal entity, a self-employed individual, or an individual carrying out an activity independently who:
- violates the fundamental principles for processing, including the conditions for consent, as set out in Articles 5, 6, 7 and 9 of the GDPR;
- violates the rights of the individual to whom the data refers, as specified in Articles 12 to 22 of the GDPR;
- violates the provisions regarding the transfer of personal data to a user in a third country or an international organisation, as specified in Articles 44 to 49 of the GDPR;
- does not comply with the order or temporary or final restriction of processing or interruption of data transfers issued by the supervisory authority in accordance with Article 58(2) of the GDPR, or if it does not provide access, thereby violating Article 58(1) of the GDPR; or
- does not take into account the corrective measures imposed by the competent supervisory authority in accordance with Article 58(2) of the GDPR.
Transitional provisions
While most of the obligations of the ZVOP-2 entered into force on 26 January 2023, the applicability of other provisions has been delayed until after a transitional period, effectively granting organisations a grace period.
Notably, the traceability log obligations and the security requirements for special processing operations will only apply from 26 January 2025 and 26 January 2026, respectively.
Similarly, controllers and processors must comply with the provisions of Article 79 of the ZVOP-2, on the processing of personal data relating to video surveillance in public transport, within six months of the entry into force of the ZVOP-2 (Article 122 of the ZVOP-2).
Anna Baldin, Senior Privacy Analyst
1. Available at: https://www.ip-rs.si/zakonodaja/zakon-o-varstvu-osebnih-podatkov/ (only available in Slovenian)
2. Available at: https://www.dataguidance.com/legal-research/personal-data-protection-act-2004
3. Available at: https://www.ip-rs.si/varstvo-osebnih-podatkov/obveznosti-upravljavcev/prijava-biometrijskih-ukrepov/ (only available in Slovenian)
4. Available at: http://www.pisrs.si/Pis.web/pregledPredpisa?id=ZAKO7707 (only available in Slovenian)
5. Available at: https://ec.europa.eu/commission/presscorner/detail/en/inf_22_3768